zywall 110 failing PCI Compliance port 500(isakmp)

VCIT
edited April 2021 in Security
Anyone having issues with this? I have run the following to take care of the TLS issue:

ip http secure-server strong-cipher

no ip http secure-server tlsv10

But this particular router seems to have an issue I have not seen on the other: the 500 (isakmp) vulnerability. I am not set to aggressive mode. Negotiation mode is Main. Is there a lockdown for the 110?

I am running V4.32(AAAA.0) for firmware.

Basic setup. Just internet access and VPN for IT support to connect. I have even locked down the source address for the VPNs to IT support only.

Is this firewall not capable of securing this like the other newer firewalls I have? Even the USG20 passes with no issues.


Thanks

All Replies

  • Blabababa
    @VCIT
    What kind of isakmp vulnerability was scanned by the PCI Compliance? Do you have the PCI Compliance's further explanation about this vulnerability?
  • VCIT
    from Zyxel support:

    If you have a VPN configured it is likely recognizing the 3DES and DES algorithms used on this VPN.  You will either need to block IKE (port 500) from the outside or increase the strength of the algorithms.


    Keep in mind that L2TP uses 3DES and DES algorithms to work, so you will not be able to use L2TP, and you may need to switch to the IPSec VPN client.

    SSL VPN may not work either as it uses port 443 and this may not be allowed depending on the PCI scan.  You can change this port number, however, to something like 4434 or 444.  The clients would need to type in the public IP with a colon and the new port number.  For example 1.2.3.4:4434.  Note that this would require a policy control rule to allow port 4434 (or whatever port you chose) From WAN To ZyWALL.
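The support reply above says the scanner is "recognizing the 3DES and DES algorithms" on port 500. A PCI scanner finds that the same way ike-scan does: it sends the first IKEv1 Main Mode message offering only weak Phase 1 transforms and sees whether the gateway answers with an SA payload selecting one of them. The probe below, an added example that is not Zyxel's code and not part of this thread, builds that message and parses the reply; it does not need the pre-shared key, because the responder picks a transform before any authentication happens. It assumes the gateway is reachable on UDP/500 and that its responses follow the RFC 2408/2409 layout; the constructed responses in the comments are illustrative only.

```python
"""IKEv1 Main Mode cipher probe: the check behind the "port 500 (isakmp)" finding.

Added example (not Zyxel code, not from the thread). Offers the gateway Phase 1
transforms that use only DES or 3DES; a gateway that replies with an SA payload
selecting one of them still accepts that cipher. Layout per RFC 2408/2409.
"""
import os
import socket
import struct

ISAKMP_PORT = 500
ISAKMP_VERSION = 0x10                      # major 1, minor 0
EXCHANGE_MAIN_MODE = 2                     # Identity Protection exchange
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_TRANSFORM = 0, 1, 3
DOI_IPSEC, SIT_IDENTITY_ONLY = 1, 1
PROTO_ISAKMP, KEY_IKE = 1, 1

# Phase 1 transform attribute types and the values this probe uses
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP, ATTR_LIFE_TYPE, ATTR_LIFE_DUR = 1, 2, 3, 4, 11, 12
ENC_DES, ENC_3DES, ENC_AES = 1, 5, 7
ENC_NAMES = {ENC_DES: "DES-CBC", ENC_3DES: "3DES-CBC", ENC_AES: "AES-CBC"}
HASH_MD5, HASH_SHA1 = 1, 2
AUTH_PSK = 1
GROUP_MODP768, GROUP_MODP1024 = 1, 2
WEAK_CIPHERS = {ENC_DES, ENC_3DES}

# The weak (cipher, hash, DH group) combinations a scanner offers; all use PSK auth.
WEAK_TRANSFORMS = [
    (ENC_DES, HASH_MD5, GROUP_MODP768),
    (ENC_DES, HASH_SHA1, GROUP_MODP1024),
    (ENC_3DES, HASH_MD5, GROUP_MODP1024),
    (ENC_3DES, HASH_SHA1, GROUP_MODP1024),
]


def tv_attr(atype, value):
    """Basic (type/value) attribute: high bit set on the type, 16-bit value."""
    return struct.pack("!HH", 0x8000 | atype, value)


def transform_payload(number, next_payload, enc, hash_alg, group, life_seconds=28800):
    """One Phase 1 transform; 28800 s fits the 16-bit TV lifetime form."""
    attrs = (tv_attr(ATTR_ENC, enc) + tv_attr(ATTR_HASH, hash_alg)
             + tv_attr(ATTR_AUTH, AUTH_PSK) + tv_attr(ATTR_GROUP, group)
             + tv_attr(ATTR_LIFE_TYPE, 1) + tv_attr(ATTR_LIFE_DUR, life_seconds))
    body = struct.pack("!BBH", number, KEY_IKE, 0) + attrs
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def sa_payload(transforms):
    """SA payload wrapping a single ISAKMP proposal (SPI size 0) with the given transforms."""
    prop_body = struct.pack("!BBBB", 1, PROTO_ISAKMP, 0, len(transforms)) + b"".join(transforms)
    proposal = struct.pack("!BBH", PAYLOAD_NONE, 0, 4 + len(prop_body)) + prop_body
    sa_body = struct.pack("!II", DOI_IPSEC, SIT_IDENTITY_ONLY) + proposal
    return struct.pack("!BBH", PAYLOAD_NONE, 0, 4 + len(sa_body)) + sa_body


def isakmp_header(icookie, rcookie, next_payload, length):
    """28-byte ISAKMP header: cookies, next payload, version, exchange, flags, msg id, length."""
    return icookie + rcookie + struct.pack("!BBBBII", next_payload, ISAKMP_VERSION,
                                           EXCHANGE_MAIN_MODE, 0, 0, length)


def build_probe(icookie, transforms=WEAK_TRANSFORMS):
    """First Main Mode message: header + SA payload listing only the weak transforms."""
    tfs = [transform_payload(i, PAYLOAD_TRANSFORM if i < len(transforms) else PAYLOAD_NONE, e, h, g)
           for i, (e, h, g) in enumerate(transforms, 1)]
    sa = sa_payload(tfs)
    return isakmp_header(icookie, b"\x00" * 8, PAYLOAD_SA, 28 + len(sa)) + sa


def parse_selected_transform(data, icookie):
    """Return the transform the responder selected, or None if it sent no SA (e.g. a notification)."""
    if len(data) < 28 or data[:8] != icookie or data[16] != PAYLOAD_SA:
        return None
    off = 28 + 4 + 8                       # skip SA generic header, DOI, situation
    _, _, _, _, _, spi_size, _ = struct.unpack("!BBHBBBB", data[off:off + 8])
    off += 8 + spi_size                    # first (only) transform of the chosen proposal
    _, _, tlen, tnum, _, _ = struct.unpack("!BBHBBH", data[off:off + 8])
    attrs, p, end = {}, off + 8, off + tlen
    while p + 4 <= end:
        atype, aval = struct.unpack("!HH", data[p:p + 4])
        if atype & 0x8000:                 # TV form
            attrs[atype & 0x7FFF] = aval
            p += 4
        else:                              # TLV form: aval is the value length
            attrs[atype] = int.from_bytes(data[p + 4:p + 4 + aval], "big")
            p += 4 + aval
    enc = attrs.get(ATTR_ENC)
    return {"transform": tnum, "enc_id": enc,
            "encryption": ENC_NAMES.get(enc, "id %s" % enc),
            "hash": {HASH_MD5: "MD5", HASH_SHA1: "SHA1"}.get(attrs.get(ATTR_HASH), "other"),
            "group": attrs.get(ATTR_GROUP)}


def is_weak(selected):
    """True when the gateway accepted a DES or 3DES Phase 1 transform."""
    return selected is not None and selected["enc_id"] in WEAK_CIPHERS


def probe_gateway(host, timeout=3.0):
    """Send the probe to host:500 (assumed reachable) and return the accepted transform or None."""
    icookie = os.urandom(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_probe(icookie), (host, ISAKMP_PORT))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None                    # filtered, or IKE not listening
    return parse_selected_transform(data, icookie)
```

`probe_gateway("192.0.2.1")` returning something like `{"encryption": "3DES-CBC", ...}` with `is_weak(...)` true is the condition the scanner reports; a `None` (no reply, or a NO-PROPOSAL-CHOSEN notification) is what you want after restricting the Phase 1 proposals or blocking port 500 from the outside. Note that a source-address restriction on the VPN rule only helps if it is the rule the IKE packet actually hits.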


  • Blabababa
    @VCIT
    As I remember, the ZyWALL 110 supports L2TP over IPSec, which can strengthen the encryption mechanism. Moreover, SSL VPN by default uses the device's HTTPS port (443); if you change the device HTTPS service port from 443 to another port, it may help.
  • VCIT
    What is funny is that I have another client with the same IPSec L2TP and it passed just fine. It is a USG-20. I did have to block TLS v1.0 with:

    ip http secure-server strong-cipher

    no ip http secure-server tlsv10

    and the scan passed with no issues. 
